Hackers Earn 1.7 Million from Click2Gov Breach

20 December 2018

The convenience of paying bills, fines, and taxes online is far superior to standing in a queue waiting for an open teller. That convenience has to be balanced against security, because users are entering credit card details and other sensitive personal information. Any security measures taken should be robust, but in practice that is often an ideal rather than the reality. Click2Gov, a website that enables users to pay bills online, appears not to have taken security as seriously as it should have.

Click2Gov is used by many US states and cities to expedite the payment of utility bills and fines by residents. It was developed by Central Square, formerly known as Superion. In 2017 it was rumored that the local government payment service had been subject to a data breach. The rumors were confirmed in September 2018 when FireEye published an article detailing the breach. According to researchers, the hackers deployed a new, never-before-seen malware strain designed to scrape payment card details from US citizens.

Researchers found that the two new malware strains, Firealarm and Spotlight, were able to parse logs for payment card data and extract the payment details. Researchers stated that Firealarm is a command line tool written in C/C++ that accepts three numbers as arguments, Year, Month, and Day, represented in a sample command line as evil.exe 2018 09 01. Given this example, FIREALARM would attempt to open and parse the log files from 2018-09-01 up to the present day. If a log file exists, the malware parses it for account details and a range of credit card details, including CCV numbers and expiry dates.

Spotlight works in a similar way, but researchers concluded that it offered the attacker better persistence on the host and could continuously collect payment card data, ensuring the harvested data would not be lost even if an administrator deleted the log files. Central Square is still trying to work out exactly how the data breach took place. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov. It is believed that the breach compromised 294,929 payment records across at least 46 cities in the US, as well as one in Canada.
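The root condition both strains exploit is that a payment portal's own logs contained full card numbers. The audit script below is an added example (not FireEye's tooling, not Central Square's code, and not from the original article): it scans log lines for Luhn-valid card numbers, reports them masked, and, mirroring the date-from-then-to-now scope described above, can be limited to lines on or after a given ISO date. The log lines and card numbers are constructed test data.

```python
import re

# Constructed sample lines in the style of a payment portal that (wrongly)
# writes card data into its request log. The PANs are standard test numbers;
# the 13-digit session id and the last "cc" value are NOT Luhn-valid.
SAMPLE_LOG = """\
2018-09-01 10:14:02 POST /pay acct=100234 cc=4111111111111111 exp=0921 cvv=123
2018-09-01 10:15:40 GET /status session=9912387612345
2018-09-02 08:01:13 POST /pay acct=100981 cc=5500000000000004 exp=1222 cvv=987
2018-09-02 08:02:55 POST /pay acct=100982 cc=1234567890123456 exp=0123 cvv=555
"""

# A PAN is 13 to 19 digits; the look-arounds stop us matching inside longer runs.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 so the report itself does not leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pan_leaks(lines, since=None):
    """Return [(line_number, masked_pan)] for every Luhn-valid PAN found.

    `since` is an optional 'YYYY-MM-DD' string; lines are assumed to start with
    an ISO timestamp, so a plain string comparison selects that date onwards.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        if since is not None and line[:10] < since:
            continue
        for m in CANDIDATE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):       # drops session ids and other digit runs
                hits.append((lineno, mask(pan)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pan_leaks(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: plaintext PAN {masked} must not be logged")
```

Any hit means the portal is writing cardholder data to disk, which is the condition to fix (stop logging the field, or tokenize it) rather than something to clean up after the fact.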

Cost of the Breach

While there are still many unknowns, as Central Square admits, a new report by Gemini Advisory has shed some light on the actual cost of the breach. Gemini's findings further suggest that fewer than 50 percent of the cities that lost customer data either know about or have publicly disclosed the breaches at their sites. The most important finding relates to how much the hackers themselves have earned. The company said that by selling this information on the Dark Web, the threat actors have earned at least 1.7 million USD.

Researchers also found that certain local systems are still suffering security incidents. Saint Petersburg, Florida; Bakersfield, California; and Ames, Iowa have all reported utility payment portal data breaches in the last three months, and payment data from those cities has been found for sale on the Dark Web. Across the 20 reported breaches, Gemini could confirm that at least 111,860 payment cards were compromised in total. In each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after it was identified and reported, at an average price of 10 USD per card.

Gemini Advisory has been working closely with Central Square and with federal law enforcement to help find those responsible and to establish how the breach actually occurred. According to Central Square, the initial vulnerability identified in 2017 had been successfully dealt with. However, it seems the hackers found another, previously undetected vulnerability, which still has to be patched. Central Square has also stated that only users who key in their payment card details appear to be susceptible to the card interception attacks, meaning that users of the automated pay service are unaffected. Researchers have been able to track two hackers via the Dark Web marketplace used to sell the card details, and it is believed that both are likely part of a wider criminal ring.

Remediation

Gemini Advisory recommends the following:

“Thus, Gemini Advisory suggests that users who are directed to pay through the Click2Gov system identify alternative means of making payments until the system threat has been eliminated. Moreover, all local municipalities that utilize the Click2Gov software should confirm that the software is up-to-date and fully patched, and contact CentralSquare immediately if assistance is needed. Gemini Advisory is monitoring the development of the Click2Gov incident closely, and in the case that new victims are identified, all clients will be notified accordingly.”

A recent article published by Fortune on the matter further advised Click2Gov users to follow all the usual measures against identity theft, including replacing their cards and watching for possible damage to their credit scores. The breaches are unlikely to result in direct financial loss for the users whose cards were compromised, mainly because banks and card issuers foot the bill in cases of stolen card data.

The breach itself is novel for two reasons: the exploitation of a previously unknown vulnerability and the use of never-before-seen malware. What is not novel is the method the hackers used to cash in on the stolen data. Again and again, security researchers see such data for sale on the Dark Web, and by all accounts it is still incredibly profitable.